Security system for television signal encryption

ABSTRACT

A conditional access system for over-air transmission and reception of scrambled television signals improves the reliability of the reception by transmitting a key signal for use in descrambling the television signal in a block of information which is itself encyphered by the key signal. On reception, the receiver after decyphering of the block of information compares the key signal recovered from the block with the key signal provided at the receiver for decyphering the block. Descrambling will only be allowed if comparison shows the two key signals to be the same. The system also provides for information relating to the credit status of each user to be transmitted over-air. In order to ensure rapid operation, the credit status signal is sent repeatedly and a further signal is appended which is used at the receiver to prevent repeated accumulation of credit. An alternative arrangement is for the transmitter to transmit a signal indicative of the total sum of credit ever purchased by a user and for the user's receiver to include a counter for accumulating all charges for programs viewed. A simple comparison between the two signals is sufficient to establish whether or not the viewer may view a program.

The present invention relates to a security system for television signal encryption, usable in the transmission and reception of television signals in either digital or sampled analogue form. In particular, the invention relates to such a security system which can provide an effective payment monitoring facility whereby relevant information can be transmitted, for example, in a satellite broadcasting channel. The invention may be used in the encryption of a multiplexed analogue component (MAC) television signal.

The present invention is a development of certain aspects of the system described in our co-pending application U.S. Ser. No. 317796, and reference is directed thereto.

PAY-PER-VIEW

Pay-per-view is a very important feature which all subscription television services should contain. Typically, the decision to watch a programme is made in the few minutes before a service is broadcast. This factor of human behaviour could be very important to the economics of providing a new type of public service broadcasting. If the customer has to decide well in advance which programmes he will watch, the viewer will tend to make a conservative estimate for his entertainment budget. Pay-per-view can be offered quite simply by including a meter in the receiver. A payment is made by the viewer to the broadcaster who then transmits the payment to the customer's receiver in the form of `electronic` over-air credit. The over-air credit is sent with the viewer's validation signal and it is entered into the meter in his receiver. A money store is provided for each television channel and the store is decremented by a cost code which accompanies the television signal. In this way a viewer is able to gain immediate access to programmes and furthermore, he only pays for those programmes that he watches.

Over-air credit provides a convenient and economical means of transferring credit units into a store in the receiver. However, in order that the system operates securely certain facts have to be taken into account:

(i) how to make the transfer of credit units securely;

(ii) how to inform the receiver that it has already received a specified quantity of credit units when the same quantity is being repeatedly transmitted;

(iii) how to detect whether the data bits which represent the credit units have been received correctly in the presence of noise; and

(iv) how to prevent the missed reception of credit units, which are part of a standing order, when the customer leaves the receiver switched off for a time longer than the payment period (such as when the customer goes away on holiday).

The present invention is able to cope effectively with factors (i) to (iii). Factor (iv) is catered for provided a very large number of credit units are not missed.

Features and advantages of the invention will become apparent from the following description of a preferred embodiment thereof, given by way of example, and when taken in conjunction with the accompanying drawings, in which:

FIG. 1 shows a block diagram of the signal paths in a transmitter/receiver system in accordance with one embodiment of the invention;

FIG. 2 is a diagram for explaining the statistics for validation of non-unique information; and

FIGS. 3a and 3b show a technique for producing cipher text that has certain properties which are desirable in the invention.

The arrangement to be described, specifically with reference to FIG. 1, involves a technique by which over-air credit information may be sent securely under conditions of low signal-to-noise ratio, such as in a noisy satellite channel. A predetermined quantity of credit units (hereinafter referred to as "money") are sent to each customer per payment interval, encrypted in the transmitted signal, and entered in a meter in the receiver. The meter is decremented upon reception of a programme cost code in the transmitted signal. In this way, a full pay-per-view service can be made available to all categories of customer. The service can be organised on a pre-payment basis by transmitting appropriate credit units upon payment in advance by the customer.

In accordance with the preferred technique, the following steps must be made in order to transmit money securely to each receiver for entry in the meter. The techniques described may also be applied when the system is used for tiering or a basic subscription.

In FIG. 1, a television signal A is scrambled by an encryption key S prior to transmission in a scrambling circuit 10. For security reasons the key S, hereinafter called the session key, is itself encrypted in a second circuit 11 by a further key P, hereinafter termed the period key, and the encrypted session key P(S) is also transmitted. The session key S and the period key P are generated by key generator circuits 12 and 14 respectively and both keys are changed periodically but with the session key S being changed more frequently than the period key P.

Rather than directly transmitting the period key to a user so that he can use it to obtain the session key S and thus unscramble the television signal, it is proposed to generate in a circuit 16 an additional key called the distribution key D which will be made available to the user and to encrypt the period key P in a circuit 17 by the distribution key D prior to transmission. Thus far the arrangement is basically the same as that disclosed in our co-pending application U.S. Ser. No. 8317796. However, we propose to transmit information relating to the credit status of each user over air in addition to the scrambled signal and the various keys. To do this, a cost code generator circuit 20 generates a signal C indicative of the cost of each program and this signal is transmitted with the television signal. In order to prevent tampering with this signal at the receiving end, the signal C is encrypted prior to transmission and it is preferred to encrypt it with the period key P in an encryption circuit 21.

It is further proposed to transmit information M relating to the amount of credit held by each user and this is best achieved by generating the information M in a customer money circuit 22, adding it to the period key P in a manner to be described later and encrypting P+M with the distribution key D in the circuit 17. For reasons given later, a customer money label circuit 24 generates a money label ML which is also fed to the circuit 17 and is added to P+M to form P+M+ML and it is this block of information which is encrypted with the distribution key D and transmitted to the receiver.

At the receiver, the received signal D(P+M+ML) is fed to a decryption circuit 30 where the distribution key D, supplied to the user either in the form of a SMART card or a chip built into the user's receiver or in some other way, is used to decrypt P+M+ML. The period key P is used to decrypt the session key S in a decryption circuit 31 but is also supplied to a further decryption circuit 32 in order to recover the cost code C which is used to decrement a counter 33 which is used as a meter.

As will be explained in more detail later, the cost code C has added to it prior to transmission a further predetermined code which when received is checked in order to determine whether or not the transmission has been successful. It is preferred to use the period key P itself as the code and thus at the receiver, the circuit 33 recovers both the cost code C and the period key P which is checked in a comparison circuit 34 with the period key recovered in the circuit 30 from the received signal D(P+M+ML).

It will be recalled that credit information is included in the signal D(P+M+ML) and the circuit 30 recovers the money information M as well as the money label ML. The money label ML is stored in a circuit 35 while the money information M is used to increment the counter 33. Should the counter read zero, an inhibit signal is produced by the counter 33 which is fed to a gate circuit 36 to prevent the session key S from being applied to a descrambling circuit 37 which is used to descramble the scrambled television signal.

OVER-AIR CREDIT INFORMATION

Money which is sent over-air cannot simply be encrypted with a key K in the form K(MONEY). This is very insecure since the message MONEY is not unique. Let us assume that MONEY is a code which represents a monotonically increasing amount of transmitted money. Suppose the broadcaster sent the digital code all zeros, to represent a transmission of zero credit to a customer. Encrypting this information with the key K produces some bit pattern for K(MONEY). An unauthorised user (pirate) can simply add money to his receiver without knowledge of the key K by simply altering the bit pattern of K(MONEY). When the receiver decrypts the new message with the secret key K a new plain text message is produced which must be non-zero. This is because there only exists a one-to-one mapping of the cipher text into the plain text. Since the original cipher text message meant `zero money`, changing the cipher text message must produce a code which indicates that a non-zero amount of money has been transmitted. Hence a pirate has added money to his receiver, although he does not know the amount.

The way to overcome this problem is to append a key to the money. The receiver will then only accept the money signal provided it has found the correct appended key. This is achieved by sending the signal D(M+P), where D is the distribution key, M the money and P the period key. Reference is directed to the aforementioned application U.S. Ser. No. 8317796 for more details of this. Clearly, if the receiver is to validate the money bits (M) with the period key (P) it must be sure that the period key has been received correctly. This can be achieved by the signal P(X+CODE), where X conveys some other information which is not unique, such as cost codes and date information.

The signal CODE is a large number of bits and unique. The signal CODE is best made equal to the value of the period key. This gives greater security since the period key is a signal that changes with time and is kept secret. This idea uses the fact that there is an extremely good chance that the correct period key has been received if the signal P(X+P) can be decrypted with said received period key to yield the same decryption key, i.e. the period key P.

Furthermore, in the same way that the period key P was used to check that the money bits M were correct in the signal PD(M+P), the period key P is also used to check that the message X is correct. Hence the value of X may be made equal to any plain text message. A typical signal that requires protection is the programme cost code (C). Hence the signal P(C+P) which is shown in FIG. 1 is used to check that the cost code (C) and the period key (P) have been received correctly. Since the period key (P) is known to have been received correctly the money bits (M) in the signal D(M+P) are also checked correctly. A further refinement is to combine the signals P(S) and P(C+P) to form the signal P(C+S+P); this then allows the period key to check that the session key (S) has been received correctly as well.

PROGRAMME CHARGING METHODS

There are two methods of decrementing the receiver's meter in order to pay for programmes. The first method causes small credits to be consumed during every 10 second period of the programme. The second method causes an amount equivalent to the total programme price to be consumed when the decision to receive that programme is made by the customer. In order to prevent multiple payment for the same programme a number is given to each programme and this programme number is stored in the receiver when the credit is consumed. Retransmissions of the same programme may be made with either the same or a different programme number depending upon whether an additional charge is to be made for further receptions of the same programme item. There are 256 programme numbers which repeat after one month; a date stamp keeps a record of the month and may also be used to record when payment was made for the programme. All of the above information, which will be called x, is sent encrypted with the period key P in the manner previously described as P(x+P), the period key performing the dual role of both encrypting the information and performing a check on the correct reception of the information.

SECURITY

It is assumed that the pirate cannot obtain his distribution key (D). He can only obtain the distribution key by breaking into his set, in which case he would be able to obtain free television anyway. Therefore, his only method of attack, assuming he cannot break the encryption algorithm, is to alter the cipher text D(M+P) in order to obtain a valid period key with a different code for the money (M). The statistical discussion below with reference to FIG. 2 shows that the probability of being able to change the money bits (M) but still retain the same period key (P) is given by: ##EQU1##

The same theory applies to other essential signals that are coded in this form. Furthermore, the same principles apply whether the cipher text is altered by a pirate or erroneously received from the satellite.

Referring to FIG. 2, the encryption process provides a one-to-one mapping between n cipher text bits and n plain text bits. The customer bits are only valid provided that the correct period key (P) has been received. This protocol needs to be adopted since each combination of the customer bits contains a valid message. Since there are only m bits assigned to the period key, m<n. There will be, in general, several mappings of the cipher text block into the same period key. This will result in a different, but valid, customer word having a valid period key. A pirate may try to alter his customer bits, in order to gain money for example. He does not know the key (K), but let us assume that he tries to alter the cipher text in order to `fool` the decoder into producing the same period key with a different customer word. In order to effect this process he tries many cipher text combinations. If the number of combinations that he has to try is made impossibly large, he will have negligible probability of producing his wanted result.

There are a total of 2^(n) combinations of n cipher text bits. One of these combinations, the one sent to the pirate, is of no interest. Hence there are a total of 2^(n)-1 alternative combinations which might yield the desired result of leaving the m bit period key unaltered.

Now assuming each mapping is equally likely, the probability of finding an alternative combination which leaves the period key unaltered is given by: ##EQU2## wherein n₁ = number of alternative mappings of cipher text into plain text leaving period key unaltered, and n₂ = total number of alternative mappings of cipher text into plain text.

There are a total of 2^(n) mappings of the cipher text into the plain text. There are a total of 2^(n-m) mappings that leave m bits unaltered, n>m. Since one of these mappings is of no interest there are a total of 2^(n-m)-1 alternative mappings which produce an unchanged m bit period key.

Therefore, ##EQU3## now for m=0, p=1; as expected since the message is not protected with the period key in this case.

for n=m, p=0; as expected since there exists only a one-to-one mapping of cipher text into plain text.

for n-m>1; n and m being positive integers, p=1/2^(m); this is the usual case to consider.

In this case, a period key of 56 bits yields

p=1/2⁵⁶ ≈ 1.4×10⁻¹⁷, i.e. there is a negligible probability of the event happening.
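The counting argument above, and the K(MONEY) weakness described under "Over-air credit information", can be checked exhaustively on a small block. The following is an added example, not code from the patent: the 16-bit Feistel permutation built on SHA-256 is only a stand-in for the block cipher, the key `D` and the field layout (money in the high bits, period key in the low m bits) are assumptions, and n=16 with m=0, 8 or 16 replaces the real block length and the 56-bit period key.

```python
import hashlib

N_BITS = 16                 # toy block length n; real blocks are far longer
HALF = N_BITS // 2
HALF_MASK = (1 << HALF) - 1
ROUNDS = 4
D = b"constructed-distribution-key"   # constructed sample key, not from the page


def _f(key: bytes, rnd: int, half: int) -> int:
    """Keyed round function: first byte of SHA-256(key || round || half)."""
    return hashlib.sha256(key + bytes([rnd, half])).digest()[0]


def encrypt(key: bytes, block: int) -> int:
    """Toy Feistel permutation on N_BITS-bit blocks (stand-in block cipher)."""
    left, right = block >> HALF, block & HALF_MASK
    for rnd in range(ROUNDS):
        left, right = right, left ^ _f(key, rnd, right)
    return (left << HALF) | right


def decrypt(key: bytes, block: int) -> int:
    """Inverse of encrypt: undo the rounds in reverse order."""
    left, right = block >> HALF, block & HALF_MASK
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _f(key, rnd, left), left
    return (left << HALF) | right


def pack(money: int, period_key: int, m_bits: int) -> int:
    """Plain-text block M+P: money in the high n-m bits, key in the low m bits."""
    return (money << m_bits) | period_key


def receive(key: bytes, cipher: int, period_key: int, m_bits: int):
    """Receiver check: return the money only if the appended key matches."""
    plain = decrypt(key, cipher)
    if plain & ((1 << m_bits) - 1) != period_key:
        return None
    return plain >> m_bits


def accepted_alterations(money: int, period_key: int, m_bits: int) -> int:
    """Count cipher texts other than the one sent that the receiver accepts."""
    sent = encrypt(D, pack(money, period_key, m_bits))
    return sum(
        1
        for cipher in range(1 << N_BITS)
        if cipher != sent and receive(D, cipher, period_key, m_bits) is not None
    )


if __name__ == "__main__":
    total = (1 << N_BITS) - 1          # 2^(n)-1 alternative cipher texts
    # m=0 is bare K(MONEY); m=8 appends a toy period key; m=16 is the n=m case.
    for m_bits, money, key in ((0, 0, 0), (8, 0, 0xA7), (16, 0, 0xA7C3)):
        hits = accepted_alterations(money, key, m_bits)
        print(f"m={m_bits:2d}: {hits}/{total} altered blocks accepted")
```

Because the cipher is a one-to-one mapping, the accepted count is exactly 2^(n-m)-1 whatever the key, which is why the result depends only on the number of appended key bits.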

For the methods described herein, it is essential that the shared message block is adequately encrypted. A stream cipher cannot be used since both the magnitude and the position of the plain text information must be destroyed. A block or feedback cipher should be used and must have the following property. If one bit of the cipher text is altered, a number of bits of the plain text will be altered, under the same key, and these altered bits will be evenly distributed over the plain text message. FIG. 3a shows schematically how long blocks may be ciphered using a number of 64 bit sub-blocks. Each sub-block is a 64 bit block cipher.

The essential feature is to overlap the sub-blocks and form an intermediate stage. The final cipher text block is guaranteed to have the properties described above by reversing the direction in which the sub-blocks are overlapped during the second stage. The same technique of forming an intermediate stage and reversing the direction in which the algorithm is performed for the second stage can be applied to cipher feedback in order to achieve the necessary cipher text properties. Cipher feedback is a well known technique and the technique of reciphering the cipher text in the reverse direction is shown in FIG. 3b.

MONEY LABEL

The transmission of the money must be accompanied by a date stamp or money label. A money label is just a date stamp of limited length. The money label (ML) is used to ensure that the money is only entered into the meter once during a payment period. This is required because the monetary information is repeated several times during the course of a payment interval. After the money has been entered along with the label, further receptions of more money having the same money label are inhibited; this is shown in FIG. 1. The money label (ML) takes the form of a two bit number which is appended to each individual customer's money bits (M). Hence the money labels appropriate to individual customers will change at different rates.

In practice a date stamp also needs to be included in the plain text message to prevent fraudulent replays of old cipher text. However, for the sake of clarity this is not shown in any of the Figures.

An alternative and possibly better method of preventing the receiver from continuously entering the same payment, which does not involve the use of money labels, is as follows. Instead of sending the new payment increment, the total sum of all payments ever sent to the broadcaster is transmitted over-air. The security device then merely subtracts the previously stored payment from the transmitted payment in order to find the actual payment. This method has the advantage that the rate of making payments to the broadcaster does not need to be kept in step with the rate of receiving over-air credit tokens. However, the method would normally require many bits to be used for the payment and this would dramatically increase the validation cycle time. A slight refinement to the principle overcomes the problem of the long cycle time and this is as follows. The total sum of all payments ever made is still sent, but in modulo 256 form; hence only eight bits are required. Since the total sum can only increase, and fraudulent replays of old payments are prevented by means of the date stamp, the following algorithm can be used. If the transmitted sum is greater than the stored sum the difference is taken as before. However, if the transmitted sum is less than the stored sum an overflow must have occurred and 256 is added to the difference calculations. The technique assumes that no more than one overflow will occur. This can be safely assumed if the monetary value of 256 tokens is extremely large. Furthermore, the stored total sum value represents a useful compact means of representing received over-air credit payments in the case of a dispute. Clearly the same principle applies to any modulus and 256 is only given by way of example.
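The two anti-repeat methods of this section behave differently when a receiver misses transmissions, which the following added example makes concrete (it is not code from the patent). The class names, the per-period schedule format, the starting state of each meter and the token amounts are assumptions constructed for illustration; date stamps and encryption are left out.

```python
MODULUS = 256        # the text's example modulus: eight bits on air
LABEL_VALUES = 4     # the money label (ML) is a two-bit number


class LabelMeter:
    """Money-label method: an increment is entered once per label value."""

    def __init__(self):
        self.credit = 0
        self.stored_label = None   # assumption: no label stored before first use

    def receive(self, increment: int, label: int) -> int:
        if not 0 <= label < LABEL_VALUES:
            raise ValueError("money label must fit in two bits")
        if label == self.stored_label:
            return 0               # repeat within the payment period: inhibited
        self.stored_label = label
        self.credit += increment
        return increment


class TotalMeter:
    """Alternative method: the running total of payments is sent modulo 256."""

    def __init__(self):
        self.credit = 0
        self.stored_sum = 0        # assumption: meter and total both start at zero

    def receive(self, transmitted_sum: int) -> int:
        if not 0 <= transmitted_sum < MODULUS:
            raise ValueError("transmitted sum must already be reduced modulo 256")
        difference = transmitted_sum - self.stored_sum
        if difference < 0:
            difference += MODULUS  # one overflow is assumed to have occurred
        self.stored_sum = transmitted_sum
        self.credit += difference
        return difference


def simulate(schedule):
    """Run both meters over a list of (increment, times_heard) payment periods.

    times_heard is how many of the repeated transmissions the receiver caught
    in that period (0 = switched off). Returns a tuple:
    (credit by label method, credit by total method, credit actually paid for).
    """
    label_meter, total_meter, paid = LabelMeter(), TotalMeter(), 0
    for period, (increment, times_heard) in enumerate(schedule):
        paid += increment
        for _ in range(times_heard):
            label_meter.receive(increment, period % LABEL_VALUES)
            total_meter.receive(paid % MODULUS)
    return label_meter.credit, total_meter.credit, paid


if __name__ == "__main__":
    # Constructed schedules: all periods heard, one period missed, and a gap
    # during which the running total grows by more than 256 tokens.
    for schedule in ([(100, 3), (150, 2), (50, 4)],
                     [(100, 3), (150, 0), (50, 2)],
                     [(100, 1), (200, 0), (100, 1)]):
        print(schedule, "->", simulate(schedule))
```

The second schedule shows the running total recovering a period the label method loses; the third shows the one-overflow assumption failing, with the total method short by exactly one modulus.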

The above described embodiment discloses two major features in combination, namely the use of the period key to encrypt a signal containing the period key in order to check correct transmission and reception and the use of a money label which is transmitted with the money signal in order to prevent multiple accumulations of the money signal. Although this latter feature is not claimed in independent form in the following claims, the applicants reserve the right to file at a later date such claims as they consider appropriate to this feature.

I claim:
 1. Apparatus for securely transmitting a scrambled information signal to a receiver, comprising: means for scrambling an input information signal; means for transmitting the scrambled information signal; means for generating a first encryption key required at said receiver to enable descrambling of said transmitted scrambled information signal; means for generating a second encryption key indicative of an authorized receiver; means for forming a first block of information including the first encryption key; first encryption means for encrypting the first block of information using the second encryption key to provide a first encrypted signal; means for forming a second block of information including the first encryption key; second encryption means for encrypting the second block of information using the first encryption key to provide a second encrypted signal; and means for transmitting the first and second encrypted signals with the transmitted scrambled information signal to enable detection in said receiver of transmission errors in the keys.
 2. Apparatus according to claim 1, and further comprising means for generating information for transmission with the scrambled information signal, and wherein one of the means for forming a first block of information and the means for forming a second block of information is arranged to include the information in the block of information formed thereby to enable detection in said receiver of transmission errors or tampering with the information.
 3. Apparatus according to claim 2, and further comprising means for generating further information for transmission with the scrambled information signal, and wherein one of the means for forming a block of information includes the information in the block formed thereby and the other of the means for forming a block of information includes the further information in the block formed thereby to enable detection in said receiver of transmission errors or tampering with the information or the further information.
 4. Apparatus according to claim 2, wherein the means for generating information generates a signal indicative of the cost to a receiver of the information signal.
 5. Apparatus according to claim 3, wherein the means for generating information generates a signal indicative of the cost to said receiver of the information signal, the means for generating further information generates a signal indicative of the credit status of a receiver and the means for forming a first block of information includes the credit status signal in the first block of information.
 6. Apparatus according to claim 5, wherein the means for transmitting the first and second encrypted signals repeatedly transmits the first encrypted signal, and further comprising means for generating a label signal, and the means for forming a first block of information includes the label signal in the first block of information.
 7. Apparatus according to claim 6, wherein the means for generating a label signal also generates a signal indicative of a date and/or time associated with the credit status signal.
 8. Apparatus according to claim 5, wherein the means for generating further information generates a signal indicative of the total sum of credit of said receiver for which payment has been made.
 9. Apparatus according to claim 5, wherein the means for generating further information also generates a signal indicative of the credit status of said receiver in modulo m form.
 10. Apparatus according to claim 1, wherein the means for transmitting the scrambled information signal and the means for transmitting the first and second encrypted signals broadcast said signals.
 11. Apparatus according to claim 1, further comprising means for generating a third encryption key, further encryption means for encrypting the third encryption key using the first encryption key to provide a third encrypted signal, and means for transmitting the third encrypted signal, and the scrambling means scrambles the input information signal under the control of said third encryption key.
 12. Apparatus according to claim 1, further comprising means for generating a third encryption key, and wherein the means for forming a second block of information includes the third encryption key in the second block of information, thereby enabling detection in a receiver of transmission errors in the third encryption key, and the scrambling means scrambles the input information signal under the control of the third encryption key.
 13. Apparatus for receiving a scrambled information signal and for descrambling the scrambled information signal in response to detection that a first encryption key required to enable descrambling has been correctly received, comprising: means for receiving a scrambled information signal; storage means for storing a second encryption key; means for receiving a second signal comprising a first block of information, including a first encryption key, encrypted by the second encryption key; first decryption means for decrypting the second signal using the stored second encryption key to recover the first encryption key from the first block of information; means for receiving a third signal comprising a second block of information, including the first encryption key, encrypted by the first encryption key; second decryption means for decrypting the third signal using the first encryption key recovered from the first block of information to recover the first encryption key from the second block of information; comparison means for comparing the first encryption key recovered from the first block of information with the first encryption key recovered from the second block of information to detect transmission errors; and means for descrambling the received scrambled information signal enabled by correct reception of a first encryption key.
 14. Apparatus according to claim 13, wherein one of the means for receiving a second signal and the means for receiving a third signal receives a signal comprising an encrypted block of information including information.
 15. Apparatus according to claim 13, wherein the means for receiving a second signal receives a signal comprising an encrypted first block of information including information and the means for receiving a third signal receives an encrypted second block of information including further information.
 16. Apparatus according to claim 14, wherein the means for receiving a third signal receives an encrypted second block of information including information indicative of the cost of the scrambled information and the second decryption means recovers the cost signal, and further comprising storage means, and the second decryption means outputs the recovered cost signal to said storage means to alter the contents thereof.
 17. Apparatus according to claim 15, wherein the means for receiving a second signal receives an encrypted first block of information including information indicative of the credit status of the receiver, the means for receiving a third signal receives an encrypted second block of information including further information indicative of the cost of the scrambled information, the first decryption means recovers the credit status signal, the second decryption means recovers the cost signal, and further comprising storage means, and wherein the first and second decryption means output the recovered credit status signal and the recovered cost signal to said storage means to alter the contents thereof.
 18. Apparatus according to claim 17, wherein the storage means outputs a disabling signal to the descrambling means when the stored contents have a predetermined value.
 19. Apparatus according to claim 17, wherein the block of information contains an inhibiting signal and the first decryption means recovers the inhibiting signal, and further comprising an inhibiting circuit responsive to the inhibiting signal to inhibit the altering of information in said storage means in response to a further reception of an encrypted first block of information including the credit signal added to the same inhibiting signal.
 20. Apparatus according to claim 17, wherein the first block of information contains a signal indicative of the total sum of credit associated with a respective receiver and the first decryption means recovers the total sum of credit signal, and further comprising means for comparing the existing total sum of credit with the current credit sum and controlling operation of the apparatus as a result of said comparison.
 21. Apparatus according to claim 13, and further comprising means for receiving a fourth signal comprising a third encryption key encrypted by the first encryption key, third decryption means for decrypting the fourth signal using the first encryption key recovered from the first block of information and for applying the recovered third encryption key to the descrambling means to control descrambling of the scrambled information signal.